Merge pull request #105919 from ravisantoshgudimetla/ps-restricted-updates

PodSecurity: OS based updates to restricted standard

staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go

@@ -52,6 +52,11 @@ func CheckAllowPrivilegeEscalation() Check {
 				MinimumVersion: api.MajorMinorVersion(1, 8),
 				CheckPod:       allowPrivilegeEscalation_1_8,
 			},
+			{
+				// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+				MinimumVersion: api.MajorMinorVersion(1, 25),
+				CheckPod:       allowPrivilegeEscalation_1_25,
+			},
 		},
 	}
 }
@@ -77,3 +82,12 @@ func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev
 	}
 	return CheckResult{Allowed: true}
 }
+
+func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
+	// We can admit the Windows pod even if privilegeEscalation has not been set.
+	if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+		return CheckResult{Allowed: true}
+	}
+	return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
+}

staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go

@@ -23,7 +23,66 @@ import (
 	utilpointer "k8s.io/utils/pointer"
 )
 
-func TestAllowPrivilegeEscalation(t *testing.T) {
+func TestAllowPrivilegeEscalation_1_25(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *corev1.Pod
+		expectReason string
+		expectDetail string
+		allowed      bool
+	}{
+		{
+			name: "multiple containers",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a"},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: nil}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(true)}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(false)}},
+				}}},
+			expectReason: `allowPrivilegeEscalation != false`,
+			expectDetail: `containers "a", "b", "c" must set securityContext.allowPrivilegeEscalation=false`,
+			allowed:      false,
+		},
+		{
+			name: "windows pod, admit without checking privilegeEscalation",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Windows},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				}}},
+			allowed: true,
+		},
+		{
+			name: "linux pod, reject if security context is not set",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Linux},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				}}},
+			expectReason: `allowPrivilegeEscalation != false`,
+			expectDetail: `container "a" must set securityContext.allowPrivilegeEscalation=false`,
+			allowed:      false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := allowPrivilegeEscalation_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			if result.Allowed && !tc.allowed {
+				t.Fatal("expected disallowed")
+			}
+			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+			if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+		})
+	}
+}
+
+func TestAllowPrivilegeEscalation_1_8(t *testing.T) {
 	tests := []struct {
 		name         string
 		pod          *corev1.Pod

staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go

@@ -66,6 +66,12 @@ func CheckCapabilitiesRestricted() Check {
 				CheckPod:         capabilitiesRestricted_1_22,
 				OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
 			},
+			// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+			{
+				MinimumVersion:   api.MajorMinorVersion(1, 25),
+				CheckPod:         capabilitiesRestricted_1_25,
+				OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
+			},
 		},
 	}
 }
@@ -128,3 +134,12 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
 	}
 	return CheckResult{Allowed: true}
 }
+
+func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// Pod API validation would have failed if podOS == Windows and if capabilities have been set.
+	// We can admit the Windows pod even if capabilities has not been set.
+	if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+		return CheckResult{Allowed: true}
+	}
+	return capabilitiesRestricted_1_22(podMetadata, podSpec)
+}

staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go

@@ -22,7 +22,63 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-func TestCapabilitiesRestricted(t *testing.T) {
+func TestCapabilitiesRestricted_1_25(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *corev1.Pod
+		expectReason string
+		expectDetail string
+		allowed      bool
+	}{
+		{
+			name: "multiple containers",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"FOO", "BAR"}}}},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"BAR", "BAZ"}}}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE", "CHOWN"}, Drop: []corev1.Capability{"ALL", "FOO"}}}},
+				}}},
+			expectReason: `unrestricted capabilities`,
+			expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
+		},
+		{
+			name: "windows pod, admit without checking capabilities",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Windows},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				}}},
+			allowed: true,
+		},
+		{
+			name: "linux pod, reject if security context is not set",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Linux},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				}}},
+			expectReason: `unrestricted capabilities`,
+			expectDetail: `container "a" must set securityContext.capabilities.drop=["ALL"]`,
+			allowed:      false,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := capabilitiesRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			if result.Allowed && !tc.allowed {
+				t.Fatal("expected disallowed")
+			}
+			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+			if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+		})
+	}
+}
+
+func TestCapabilitiesRestricted_1_22(t *testing.T) {
 	tests := []struct {
 		name         string
 		pod          *corev1.Pod
@@ -41,7 +97,6 @@ func TestCapabilitiesRestricted(t *testing.T) {
 			expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
 		},
 	}
-
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			result := capabilitiesRestricted_1_22(&tc.pod.ObjectMeta, &tc.pod.Spec)

staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go

@@ -55,6 +55,12 @@ func CheckSeccompProfileRestricted() Check {
 				CheckPod:         seccompProfileRestricted_1_19,
 				OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
 			},
+			// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+			{
+				MinimumVersion:   api.MajorMinorVersion(1, 25),
+				CheckPod:         seccompProfileRestricted_1_25,
+				OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
+			},
 		},
 	}
 }
@@ -136,3 +142,14 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
 
 	return CheckResult{Allowed: true}
 }
+
+// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes
+// version 1.25 and above
+func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
+	// We can admit the Windows pod even if seccompProfile has not been set.
+	if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+		return CheckResult{Allowed: true}
+	}
+	return seccompProfileRestricted_1_19(podMetadata, podSpec)
+}

staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go

@@ -22,7 +22,105 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-func TestSeccompProfileRestricted(t *testing.T) {
+func TestSeccompProfileRestricted_1_25(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *corev1.Pod
+		expectReason string
+		expectDetail string
+		allowed      bool
+	}{
+		{
+			name: "no explicit seccomp",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a"},
+				},
+			}},
+			expectReason: `seccompProfile`,
+			expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+		},
+		{
+			name: "no explicit seccomp, windows Pod",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Windows},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				},
+			}},
+			allowed: true,
+		},
+		{
+			name: "no explicit seccomp, linux pod",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				OS: &corev1.PodOS{Name: corev1.Linux},
+				Containers: []corev1.Container{
+					{Name: "a"},
+				},
+			}},
+			expectReason: `seccompProfile`,
+			expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+			allowed:      false,
+		},
+		{
+			name: "pod seccomp invalid",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}},
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+				},
+			}},
+			expectReason: `seccompProfile`,
+			expectDetail: `pod must not set securityContext.seccompProfile.type to "Unconfined"`,
+		},
+		{
+			name: "containers seccomp invalid",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}},
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
+					{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+					{Name: "f", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+				},
+			}},
+			expectReason: `seccompProfile`,
+			expectDetail: `containers "c", "d" must not set securityContext.seccompProfile.type to "Unconfined"`,
+		},
+		{
+			name: "pod nil, container fallthrough",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+					{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+				},
+			}},
+			expectReason: `seccompProfile`,
+			expectDetail: `pod or containers "a", "b" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := seccompProfileRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			if result.Allowed && !tc.allowed {
+				t.Fatal("expected disallowed")
+			}
+			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+			if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+		})
+	}
+}
+
+func TestSeccompProfileRestricted_1_19(t *testing.T) {
 	tests := []struct {
 		name         string
 		pod          *corev1.Pod

staging/src/k8s.io/pod-security-admission/test/fixtures.go

@@ -26,14 +26,37 @@ import (
 	"k8s.io/utils/pointer"
 )
 
-// minimalValidPods holds minimal valid pods per-level per-version.
+// minimalValidPods holds minimal valid OS neutral pods per-level per-version.
 // To get a valid pod for a particular level/version, use getMinimalValidPod().
 var minimalValidPods = map[api.Level]map[api.Version]*corev1.Pod{}
 
+// minimalValidLinuxPods holds minimal valid linux pods per-level per-version.
+// To get a valid pod for a particular level/version, use getMinimalValidPod().
+var minimalValidLinuxPods = map[api.Level]map[api.Version]*corev1.Pod{}
+
+// minimalValidWindowsPods holds minimal valid Windows pods per-level per-version.
+// To get a valid pod for a particular level/version, use getMinimalValidPod().
+var minimalValidWindowsPods = map[api.Level]map[api.Version]*corev1.Pod{}
+
+func addLinux(pod *corev1.Pod) *corev1.Pod {
+	copyPod := pod.DeepCopy()
+	copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Linux}
+	return copyPod
+}
+
+func addWindows(pod *corev1.Pod) *corev1.Pod {
+	copyPod := pod.DeepCopy()
+	copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Windows}
+	return copyPod
+}
+
 func init() {
+	// These are the OS neutral pods
 	minimalValidPods[api.LevelBaseline] = map[api.Version]*corev1.Pod{}
 	minimalValidPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
 
+	minimalValidLinuxPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
+	minimalValidWindowsPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
 	// Define minimal valid baseline pod.
 	// This must remain valid for all versions.
 	baseline_1_0 := &corev1.Pod{Spec: corev1.PodSpec{
@@ -50,6 +73,8 @@ func init() {
 		p.Spec.SecurityContext = &corev1.PodSecurityContext{RunAsNonRoot: pointer.BoolPtr(true)}
 	})
 	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = restricted_1_0
+	minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addLinux(restricted_1_0)
+	minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addWindows(restricted_1_0)
 
 	// 1.8+: allowPrivilegeEscalation=false
 	restricted_1_8 := tweak(restricted_1_0, func(p *corev1.Pod) {
@@ -57,6 +82,8 @@ func init() {
 		p.Spec.InitContainers[0].SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: pointer.BoolPtr(false)}
 	})
 	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = restricted_1_8
+	minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addLinux(restricted_1_8)
+	minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addWindows(restricted_1_8)
 
 	// 1.19+: seccompProfile.type=RuntimeDefault
 	restricted_1_19 := tweak(restricted_1_8, func(p *corev1.Pod) {
@@ -66,6 +93,8 @@ func init() {
 		}
 	})
 	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = restricted_1_19
+	minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addLinux(restricted_1_19)
+	minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addWindows(restricted_1_19)
 
 	// 1.22+: capabilities.drop=["ALL"]
 	restricted_1_22 := tweak(restricted_1_19, func(p *corev1.Pod) {
@@ -73,9 +102,19 @@ func init() {
 		p.Spec.InitContainers[0].SecurityContext.Capabilities = &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}
 	})
 	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = restricted_1_22
+	minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addLinux(restricted_1_22)
+	minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addWindows(restricted_1_22)
+
+	// 1.25+: OS specific changes
+	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_22
+	minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = addLinux(restricted_1_22)
+	// none of the restricted requirements added between 1.0 and 1.25 apply to the pods that are explicitly Windows
+	restricted_1_25_windows := addWindows(restricted_1_0)
+	minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_25_windows
+
 }
 
-// GetMinimalValidPod returns a minimal valid pod for the specified level and version.
+// GetMinimalValidPod returns a minimal valid OS neutral pod for the specified level and version.
 func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, error) {
 	originalVersion := version
 	for {
@@ -90,6 +129,36 @@ func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, erro
 	}
 }
 
+// GetMinimalValidLinuxPod returns a minimal valid linux pod for the specified level and version.
+func GetMinimalValidLinuxPod(level api.Level, version api.Version) (*corev1.Pod, error) {
+	originalVersion := version
+	for {
+		pod, exists := minimalValidLinuxPods[level][version]
+		if exists {
+			return pod.DeepCopy(), nil
+		}
+		if version.Minor() <= 0 {
+			return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
+		}
+		version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
+	}
+}
+
+// GetMinimalValidWindowsPod returns a minimal valid windows pod for the specified level and version.
+func GetMinimalValidWindowsPod(level api.Level, version api.Version) (*corev1.Pod, error) {
+	originalVersion := version
+	for {
+		pod, exists := minimalValidWindowsPods[level][version]
+		if exists {
+			return pod.DeepCopy(), nil
+		}
+		if version.Minor() <= 0 {
+			return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
+		}
+		version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
+	}
+}
+
 // fixtureGenerators holds fixture generators per-level per-version.
 // To add generators, use registerFixtureGenerator().
 // To get fixtures for a particular level/version, use getFixtures().

staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go

@@ -38,6 +38,9 @@ func init() {
 			return nil
 		},
 		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			if p.Spec.OS != nil && p.Spec.OS.Name == corev1.Windows {
+				return []*corev1.Pod{}
+			}
 			return []*corev1.Pod{
 				// explicit true
 				tweak(p, func(p *corev1.Pod) {

staging/src/k8s.io/pod-security-admission/test/fixtures_test.go

@@ -46,8 +46,6 @@ func TestFixtures(t *testing.T) {
 
 	defaultChecks := policy.DefaultChecks()
 
-	const newestMinorVersionToTest = 23
-
 	policyVersions := computeVersionsToTest(t, defaultChecks)
 	newestMinorVersionWithPolicyChanges := policyVersions[len(policyVersions)-1].Minor()
 
@@ -61,11 +59,25 @@ func TestFixtures(t *testing.T) {
 			failDir := filepath.Join("testdata", string(level), fmt.Sprintf("v1.%d", version), "fail")
 
 			// render the minimal valid pod fixture
-			validPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version))
+			osNeutralPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version))
 			if err != nil {
 				t.Fatal(err)
 			}
-			expectedFiles.Insert(testFixtureFile(t, passDir, "base", validPod))
+			expectedFiles.Insert(testFixtureFile(t, passDir, "base", osNeutralPod))
+			// Don't generate OS specific pods when version < 1.25 as pod os field based restriction is not enabled.
+			if level == api.LevelRestricted && version >= podOSBasedRestrictionEnabledVersion {
+				linuxPod, err := GetMinimalValidLinuxPod(level, api.MajorMinorVersion(1, version))
+				if err != nil {
+					t.Fatal(err)
+				}
+				expectedFiles.Insert(testFixtureFile(t, passDir, "base_linux", linuxPod))
+
+				windowsPod, err := GetMinimalValidWindowsPod(level, api.MajorMinorVersion(1, version))
+				if err != nil {
+					t.Fatal(err)
+				}
+				expectedFiles.Insert(testFixtureFile(t, passDir, "base_windows", windowsPod))
+			}
 
 			// render check-specific fixtures
 			checkIDs, err := checksForLevelAndVersion(defaultChecks, level, api.MajorMinorVersion(1, version))

staging/src/k8s.io/pod-security-admission/test/run.go

@@ -36,6 +36,11 @@ import (
 	"k8s.io/pod-security-admission/policy"
 )
 
+const (
+	newestMinorVersionToTest            = 25
+	podOSBasedRestrictionEnabledVersion = 25
+)
+
 // Options hold configuration for running integration tests against an existing server.
 type Options struct {
 	// ClientConfig is a client configuration with sufficient permission to create, update, and delete
@@ -115,13 +120,28 @@ func computeVersionsToTest(t *testing.T, checks []policy.Check) []api.Version {
 		}
 	}
 
+	for _, versionsForLevel := range minimalValidLinuxPods {
+		for version := range versionsForLevel {
+			if version.Major() != 1 {
+				t.Fatalf("expected major version 1, got %d", version.Major())
+			}
+			seenVersions[version] = true
+		}
+	}
+
+	for _, versionsForLevel := range minimalValidWindowsPods {
+		for version := range versionsForLevel {
+			if version.Major() != 1 {
+				t.Fatalf("expected major version 1, got %d", version.Major())
+			}
+			seenVersions[version] = true
+		}
+	}
+
 	alwaysIncludeVersions := []api.Version{
 		// include the oldest version by default
 		api.MajorMinorVersion(1, 0),
-		// include the release under development (1.23 at time of writing).
-		// this can be incremented to the current version whenever is convenient.
-		// TODO: find a way to use api.LatestVersion() here
-		api.MajorMinorVersion(1, 23),
+		api.MajorMinorVersion(1, newestMinorVersionToTest),
 	}
 	for _, version := range alwaysIncludeVersions {
 		seenVersions[version] = true
@@ -296,13 +316,36 @@ func Run(t *testing.T, opts Options) {
 				}
 			}
 
-			minimalValidPod, err := GetMinimalValidPod(level, version)
+			minimalValidOSNeutralPod, err := GetMinimalValidPod(level, version)
 			if err != nil {
 				t.Fatal(err)
 			}
+			var minimalValidLinuxPod, minimalValidWindowsPod *corev1.Pod
+			if level == api.LevelRestricted && version.Minor() >= podOSBasedRestrictionEnabledVersion {
+				minimalValidLinuxPod, err = GetMinimalValidLinuxPod(level, version)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				minimalValidWindowsPod, err = GetMinimalValidWindowsPod(level, version)
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+
 			t.Run(ns+"_pass_base", func(t *testing.T) {
-				createPod(t, 0, minimalValidPod.DeepCopy(), true, "")
-				createController(t, 0, minimalValidPod.DeepCopy(), true, "")
+				createPod(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
+				createController(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
+				if minimalValidLinuxPod != nil && minimalValidWindowsPod != nil {
+					// Linux specific pods
+					createPod(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
+					createController(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
+
+					// Windows specific pods
+					createPod(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
+					createController(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
+				}
+
 			})
 
 			checkIDs, err := checksForLevelAndVersion(opts.Checks, level, version)

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline2.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - chown
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - CAP_CHOWN
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces0.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostIPC: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces1.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces2.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostPID: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes0.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  volumes:
+  - emptyDir: {}
+    name: volume-emptydir
+  - hostPath:
+      path: /a
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  volumes:
+  - hostPath:
+      path: /a
+    name: volume-hostpath-a
+  - hostPath:
+      path: /b
+    name: volume-hostpath-b

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports0.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports1.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports2.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+    - containerPort: 12347
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
+    - containerPort: 12348

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      privileged: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: true
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      procMount: Unmasked
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Unmasked
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      type: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions2.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  securityContext:
+    seLinuxOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      user: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions4.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      role: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/sysctls0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: othersysctl
+      value: other

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess0.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      windowsOptions: {}
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions: {}
+  securityContext:
+    windowsOptions:
+      hostProcess: true

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess1.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  securityContext:
+    windowsOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/apparmorprofile0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/base.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/capabilities_baseline0.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/hostports0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/privileged0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      privileged: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: false
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/procmount0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      procMount: Default
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Default
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/seccompprofile_baseline0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        level: somevalue
+        type: container_init_t
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: container_kvm_t
+  securityContext:
+    seLinuxOptions:
+      type: container_t

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls0.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: kernel.shm_rmid_forced
+      value: "0"
+    - name: net.ipv4.ip_local_port_range
+      value: 1024 65535
+    - name: net.ipv4.tcp_syncookies
+      value: "0"
+    - name: net.ipv4.ping_group_range
+      value: 1 0
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "1024"

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline2.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - chown
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - CAP_CHOWN
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces0.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostIPC: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces1.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces2.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  hostPID: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes0.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  volumes:
+  - emptyDir: {}
+    name: volume-emptydir
+  - hostPath:
+      path: /a
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  volumes:
+  - hostPath:
+      path: /a
+    name: volume-hostpath-a
+  - hostPath:
+      path: /b
+    name: volume-hostpath-b

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports0.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports1.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports2.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+    - containerPort: 12347
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
+    - containerPort: 12348

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      privileged: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: true
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      procMount: Unmasked
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Unmasked
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      type: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions1.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions2.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  securityContext:
+    seLinuxOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      user: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions4.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      role: somevalue

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/sysctls0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: othersysctl
+      value: other

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess0.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      windowsOptions: {}
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions: {}
+  securityContext:
+    windowsOptions:
+      hostProcess: true

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess1.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  hostNetwork: true
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  securityContext:
+    windowsOptions: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/apparmorprofile0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/base.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/capabilities_baseline0.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/hostports0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/privileged0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      privileged: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: false
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/procmount0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      procMount: Default
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Default
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/seccompprofile_baseline0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        level: somevalue
+        type: container_init_t
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: container_kvm_t
+  securityContext:
+    seLinuxOptions:
+      type: container_t

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls0.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: kernel.shm_rmid_forced
+      value: "0"
+    - name: net.ipv4.ip_local_port_range
+      value: 1024 65535
+    - name: net.ipv4.tcp_syncookies
+      value: "0"
+    - name: net.ipv4.ping_group_range
+      value: 1 0
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "1024"

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation0.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation1.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation2.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation3.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile0.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile1.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline0.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_RAW
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline1.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_RAW
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline2.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - chown
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline3.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - CAP_CHOWN
+        drop:
+        - ALL
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault